The present invention relates to authentication systems.
Many organizations rely on strong authentication technology for functions related to interaction with their customers. For example, strong authentication technology may be used for a “gatekeeper” function, i.e., providing access to the organization's resources only if the customer can be authenticated as a valid user. In many cases, it is undesirable for such organizations to set up and maintain an authentication infrastructure. Accordingly, third party establishments have developed systems that provide an authentication service to such organizations. Traditionally these services are targeted towards an enterprise customer that leverages these authentication services to provide outsourced verification of user authentication credentials when accessing internal resources, such as Remote Access Servers, VPN, and Employee Portals.
The authentication services that exist today are focused on providing individual subscribing organizations with an individual authentication solution that they and only they can leverage. This approach requires a user of multiple subscribing organizations to carry a separate authenticating device for each subscribing organization, thus creating a situation where users are burdened with the number of devices that they manage, carry and use.
Limitations That Exist With Current Authentication Services
There are only a limited number of strong authentication services that are available to organizations today. However, these services typically include a direct link between the personal data associated with the user and the subscribing site that is known to the service.
With such a direct link into the personal data, the security of a user's identity is weakened instead of strengthened. The authentication service providers typically assume that a direct link into this personal data is required to reduce the management and token synchronization issues that arise when devices are shared between organizations.
The existing services that offer an organization strong authentication are not currently seeking to leverage the single user device across multiple subscribing sites. Doing so has the potential to make the user's experience complex and confusing, which is obviously counterproductive for services trying to encourage wider use of strong authentication technology.
Existing authentication services do not offer a full complement of services surrounding the authentication. The centralization of authentication is only successful if the service can also offer direct end user device distribution, direct end user support and temporary access processes. Distribution is currently limited to bulk shipment of devices to the individual organizations and then requiring the individual organizations to distribute the devices themselves.
Conventional distribution models for authentication devices are typically based upon the authentication device being assigned to an individual prior to distribution. This type of authentication device distribution model suffers from significant limitations.
First, the conventional distribution model requires administrators to determine the relationship between the authentication device and the end user prior to actual distribution. An example that illustrates this limitation is the issuance of Credit Cards. Credit Cards are assigned to an individual user within the issuance process and are then distributed to that user.
Moreover, the process of pre-assigning the authentication device to the user delays the distribution process, causing inconvenience to the user that is exacerbated in a consumer environment. Further, pre-assigning the security device can cause a security breach if the device is intercepted while already bound to the user.
Given the current demand for a strong authentication service in consumer-facing applications and the limitations in the prior approaches, an approach for distribution of authenticators to end users that does not suffer from the limitations associated with the conventional authenticator distribution model is highly desirable. In particular, an approach for distribution of authentication devices to consumers that allows for the separation of distribution from the assignment of that authentication device to the user is needed.
There is a further need for an approach to authentication device distribution directly to end users on an “on demand” basis, in a scalable and timely manner, that avoids the administrative burden imposed by the conventional distribution models.
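As an added illustration (not part of this patent text and not the claimed method), the following model shows the separation of distribution from assignment: a device is shipped unassigned, and binding to a user happens only at activation, which requires both proof of possession (a valid one-time password) and the account credential. The HOTP routine, serial numbers, seeds and credentials are constructed for the example.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class LateBindingTokenService:
    """Tokens leave the warehouse unassigned; user binding happens at activation."""

    def __init__(self) -> None:
        self.tokens = {}  # serial -> {"seed": bytes, "counter": int, "user": str | None}
        self.users = {}   # user -> password digest (toy stand-in, not a real password hash)

    def register_user(self, user: str, password: str) -> None:
        self.users[user] = hashlib.sha256(password.encode()).hexdigest()

    def ship(self, serial: str, seed: bytes) -> None:
        # The service knows the device seed by serial number, but no owner yet.
        self.tokens[serial] = {"seed": seed, "counter": 0, "user": None}

    def activate(self, serial: str, user: str, password: str, otp: str) -> bool:
        """Bind a shipped token: needs possession (OTP) AND the account credential."""
        tok = self.tokens.get(serial)
        if tok is None or tok["user"] is not None:
            return False  # unknown serial, or already bound to someone
        if self.users.get(user) != hashlib.sha256(password.encode()).hexdigest():
            return False  # an intercepted device alone cannot be activated
        if not hmac.compare_digest(otp, hotp(tok["seed"], tok["counter"])):
            return False
        tok["counter"] += 1
        tok["user"] = user
        return True

    def authenticate(self, serial: str, user: str, otp: str) -> bool:
        """Accept the OTP only for the user the token was bound to at activation."""
        tok = self.tokens.get(serial)
        if tok is None or tok["user"] != user:
            return False  # unbound devices grant no access to anyone
        if not hmac.compare_digest(otp, hotp(tok["seed"], tok["counter"])):
            return False
        tok["counter"] += 1
        return True
```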